Editor’s Note: This article will be updated when more-specific information is provided by Capital One or U.S. government sources.
If you want to learn more about the Capital One cyber incident, please visit https://t.co/bIZD0VBMSk
— Capital One (@AskCapitalOne) July 30, 2019
The accounts of more than 100 million Capital One users were hacked by a Seattle woman and former software engineer.
According to the Capital One website, the Department of Justice, the FBI, the FTC and multiple media reports, the breach is one of the biggest in history, allowing access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information.
“We will notify affected individuals through a variety of channels,” Capital One officials said in a news release. “We will make free credit monitoring and identity protection available to everyone affected.”
Scroll down for FAQs from Capital One.
For more information about this incident and what Capital One is doing to respond, visit www.capitalone.com/facts2019.
How It Happened
According to a Department of Justice news release, Paige A. Thompson, aka erratic, 33, made her initial appearance Monday (July 29, 2019) in U.S. District Court in Seattle and was ordered detained pending a hearing on Aug. 1.
According to the criminal complaint, Thompson posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data.
“The intrusion occurred through a misconfigured web application firewall that enabled access to the data,” the DoJ said.
A GitHub user who saw the post alerted Capital One on July 17 to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI.
Cyber investigators were able to identify Thompson as the person who was posting about the data theft. On Monday, agents executed a search warrant at Thompson’s residence and seized electronic storage devices containing a copy of the data.
The criminal complaint says Thompson tried to share the information with others online. According to CNN, the 33-year-old had previously worked as a software engineer at Amazon Web Services, the cloud hosting company that Capital One was using. She was able to gain access by exploiting a misconfigured web application firewall, according to a court filing.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Capital One chairman and CEO. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Fairbank said no credit card account numbers or log-in credentials were compromised and more than 99 percent of Social Security numbers were not compromised.
FAQs From Capital One
The following are FAQs as posted on the Capital One website.
What was the vulnerability that led to this incident?
We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment. Among other things, we also augmented our routine automated scanning to look for this issue on a continuous basis.
How did you discover the incident?
Like many companies, we have a responsible disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17, 2019. We then began our own internal investigation, leading to the July 19, 2019, discovery of the incident.
When did this occur?
On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers. This occurred on March 22 and 23, 2019.
Was the data encrypted and/or tokenized?
We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.
However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected.
Did this vulnerability arise because you operate on the cloud?
This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments.
The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.
What are the expected financial impacts of the incident?
We expect the incident to generate incremental costs of approximately $100 million to $150 million in 2019. Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support.
We expect to accrue the costs for customer notification and credit monitoring in 2019. The expected incremental costs related to the incident will be separately reported as an adjusting item as it relates to the company’s financial results.
For years we have invested heavily in cybersecurity and we will continue to do so. Beyond the adjusting item in 2019, we expect any incremental investments in cybersecurity to be funded within our current budget.
The company carries insurance to cover certain costs associated with a cyber risk event. This insurance is subject to a $10 million deductible and standard exclusions and carries a total coverage limit of $400 million. The timing of recognition of costs may differ from the timing of recognition of any insurance reimbursement. Gains on insurance recoveries associated with the incident will also be treated as an adjusting item as it relates to the company’s financial results.
The company is affirming its existing efficiency guidance, which in all cases is net of adjustments. The company expects to achieve modest improvement in 2019 annual operating efficiency ratio compared to the 2018 annual operating efficiency ratio.
Relative to 2019, the company also continues to expect modest improvement in 2020 annual operating efficiency ratio. And the company continues to expect annual operating efficiency ratio to be 42 percent in 2021. The company continues to expect that improvements in operating efficiency ratio will also drive significant improvement in annual total efficiency ratio in 2021.
SOURCE: Capital One website
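The FAQ above draws a distinction between encrypting data and tokenizing select fields under a different method and different keys, and states that tokenized fields stayed protected even though the encrypted data could be decrypted. The following added example (written for this article, not Capital One’s code, and making no claim about how their systems are built) models that distinction: a record is encrypted with a data key, while the Social Security number and account number are first replaced by tokens issued by a separate vault holding its own key. Whoever can decrypt the record without the vault sees only tokens. The stream cipher here is a toy (HMAC-SHA256 keystream in counter mode) standing in for a real symmetric cipher, the field names and the sample record are constructed, and the vault is an in-memory dictionary for illustration.

```python
"""Encryption with one key plus tokenization of select fields under a
separate key and vault, modelling the distinction drawn in the FAQ."""
import hashlib
import hmac
import json
import secrets

# Assumed field names for the demo: these fields are tokenized, not merely encrypted.
SENSITIVE_FIELDS = ("ssn", "account_number")


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the demo: XOR with an HMAC-SHA256 keystream in
    counter mode. Stands in for a real symmetric cipher; not for production."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_record(record: dict, data_key: bytes) -> dict:
    """Serialize the record and encrypt it under the data key with a fresh nonce."""
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(record, sort_keys=True).encode()
    return {"nonce": nonce.hex(), "ciphertext": _keystream_xor(data_key, nonce, plaintext).hex()}


def decrypt_record(blob: dict, data_key: bytes) -> dict:
    """Reverse encrypt_record; XOR with the same keystream restores the plaintext."""
    plaintext = _keystream_xor(data_key, bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ciphertext"]))
    return json.loads(plaintext)


class TokenVault:
    """Tokenization service: holds its own key and the token->value mapping.
    It sits in a separate trust boundary from the data store and its data key."""

    def __init__(self, token_key: bytes):
        self._key = token_key
        self._vault = {}  # token -> original value (in-memory stand-in for a real vault)

    def tokenize(self, value: str) -> str:
        # Deterministic token derived with the tokenization key, so equal values map
        # to equal tokens and the application can match records without the value.
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def protect_record(record: dict, vault: TokenVault, data_key: bytes) -> dict:
    """Tokenize the select fields first, then encrypt the whole record."""
    tokenized = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in tokenized:
            tokenized[field] = vault.tokenize(tokenized[field])
    return encrypt_record(tokenized, data_key)


def view_with_data_key_only(blob: dict, data_key: bytes) -> dict:
    """What decrypting the stored record reveals to someone holding the
    ciphertext and the data key but no access to the token vault."""
    return decrypt_record(blob, data_key)


def view_with_vault(blob: dict, data_key: bytes, vault: TokenVault) -> dict:
    """Fully restored record: needs the data key AND the vault."""
    record = decrypt_record(blob, data_key)
    for field in SENSITIVE_FIELDS:
        if field in record:
            record[field] = vault.detokenize(record[field])
    return record


# Constructed sample applicant record (placeholder values, not real data).
SAMPLE_RECORD = {
    "name": "Jane Applicant",
    "address": "123 Example St",
    "credit_score": 712,
    "ssn": "000-00-0000",
    "account_number": "1234567890",
}

if __name__ == "__main__":
    data_key = secrets.token_bytes(32)
    vault = TokenVault(secrets.token_bytes(32))
    stored = protect_record(SAMPLE_RECORD, vault, data_key)
    print("Decrypted without vault:", view_with_data_key_only(stored, data_key))
    print("Decrypted with vault:   ", view_with_vault(stored, data_key, vault))
```

Running the script shows the name, address and credit score in the clear once the data key is applied, while the SSN and account number appear only as `tok_…` values; restoring them requires the vault. The design point for defenders is the separate key and separate system: compromise of the data store plus its key, which is what the FAQ describes, does not by itself expose the tokenized fields.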
FTC: Equifax Data Breach Update
You can get free credit monitoring services. Or, if you already have credit monitoring services, you can request a $125 cash payment.
You may also be eligible for the following cash payments up to $20,000 for:
- The time you spent remedying fraud, identity theft, or other misuse of your personal information caused by the data breach, or purchasing credit monitoring or freezing credit reports, up to 20 total hours at $25 per hour.
- Out-of-pocket losses resulting from the data breach.
- Up to 25% of the cost of Equifax credit or identity monitoring products you paid for in the year before the data breach announcement.
SOURCE: Federal Trade Commission Facebook page